[Samba] Samba+LDAP Group mapping
bajo at fet.at
Mon Dec 10 14:25:53 GMT 2007
I had the same problem and solved it for me yesterday.
I downloaded the samba.schema file from the original samba version 3.0.24
available from samba.org and copied it to /etc/ldap/schema/samba.schema.
Now I am able to find the groups within the Windows security setting
dialog and with the net rpc group command.
> I'm running into weird problems after switching from tdbsam to ldapsam
> user backend. I have transferred all local unix and samba groups with the
> smbldap-tools scripts. The 'net groupmap list' command prints all
> group mappings correctly, and I also can use all the groups present in
> LDAP for setting local file ownerships.
> However, these groups don't appear in the Windows security setting
> dialogues (e.g. for setting file permissions or matching local groups
> with domain groups). All I get is a list of users. Even the built-in
> groups like 'Domain Administrators', 'Replicator Operators', ... are
> I'm running the current Debian stable samba and open ldap.
> LDIF from ldap (just one group as an example):
> dn: cn=Domain Admins, ou=Groups, dc=hui, dc=net
> sambaSID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxx-512
> gidNumber: 512
> memberUid: administrator
> displayName: Domain Admins
> sambaGroupType: 2
> description: Netbios Domain Administrators
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Domain Admins
> The relevant parts of the smb.conf:
> workgroup = HUINET
> domain logons = Yes
> obey pam restrictions = Yes
> null passwords = no
> passwd program = /usr/sbin/smbldap-passwd "%u"
> passwd chat = "...."
> ldap password sync = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=samba,ou=DSA,dc=hui,dc=net
> ldap suffix = dc=hui,dc=net
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> ldap delete dn = no
> delete user script = /usr/sbin/smbldap-userdel "%u"
> delete user script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g "%u"
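
Before copying a downloaded samba.schema over the one in /etc/ldap/schema, the names the two files define can be compared to see what the swap changes. This is an added example, not part of the original post; the schema snippets, the placeholder 1.1 OIDs and the sambaExampleAttr/sambaExampleAlias names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Schema text below is constructed and
# uses the 1.1 placeholder OID arc; sambaExampleAttr/Alias are hypothetical.

# Print every name a schema file defines (lowercased, sorted, one per line).
# Copes with definitions wrapped over several lines and NAME ( 'a' 'b' ) lists.
schema_names() {
    grep -v '^[[:space:]]*#' "$1" | tr '\n\t' '  ' |
        grep -oE "NAME +(\( *[^)]*\)|'[^']*')" |
        grep -oE "'[^']*'" | tr -d "'" | tr 'A-Z' 'a-z' | sort -u
}

# Print names that schema file $2 defines and schema file $1 does not.
schema_missing() {
    a=$(mktemp) b=$(mktemp)
    schema_names "$1" > "$a"
    schema_names "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

tmp=$(mktemp -d)
cat > "$tmp/installed.schema" <<'EOF'
# constructed stand-in for the file currently in /etc/ldap/schema
attributetype ( 1.1.2.1.1 NAME 'sambaSID'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype ( 1.1.2.1.2 NAME 'sambaGroupType'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.1.2.2.1 NAME 'sambaGroupMapping' SUP top AUXILIARY
	MUST ( gidNumber $ sambaSID $ sambaGroupType ) )
EOF
# constructed stand-in for the downloaded file: same definitions plus one more
{ grep -v '^#' "$tmp/installed.schema"
  printf "%s\n" "attributetype ( 1.1.2.1.3 NAME ( 'sambaExampleAttr'" \
                "	'sambaExampleAlias' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )"
} > "$tmp/downloaded.schema"

schema_missing "$tmp/installed.schema" "$tmp/downloaded.schema"
```

Running schema_missing with the arguments swapped lists names the installed file defines that the downloaded one drops, which matters when existing entries already use them.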